Suppose there are $u$ users and each user $i$ possesses $x_i\in\{0,1\}^n$
and a function $F_i:\{0,1\}^{nu} \rightarrow \{0,1\}^m$. Then we wish to
construct a protocol such that at its completion, each user $i$ knows
$F_i(x_1,...,x_u)$ but knows nothing more about $x_j$ for $j \ne i$.

Clearly this could be done with a trusted third party, but we want to do it
without one.

Security models:

Honest-but-curious: all $u$ parties follow the protocol honestly,
and a protocol is $t$-private if any $t$ parties who collude at the end
of the protocol learn nothing beyond their own outputs from their
transcripts.

To prove a protocol is $t$-private, we build a simulator that, when
given the inputs and outputs of the $t$ colluding parties, generates $t$
transcripts from the same distribution as the actual protocol.
(This suffices because anything the colluding users can learn from
their transcripts can then be learnt from their inputs and outputs alone.)

Malicious users: the adversary controls a fixed set of $t$ users.
The remaining $u-t$ users are honest. A protocol is $t$-secure if
the adversary learns nothing about the $u-t$ user inputs beyond the
outputs of the $t$ corrupt parties.

Usually, the goal is to construct a $t$-secure, $t'$-private protocol
for some $t' \ge t$.

Dynamic adversary: in this case, at any time period, the
adversary can corrupt any $t$ users.

1-privacy proof: user 1's transcript is
$[x_1,r_1,s_1,r_2,r_3,y_2,y_3,x_1+x_2+x_3]$. Then we construct a simulator
as follows: given $x_1$ and $z=x_1+x_2+x_3$, we generate the transcript
by picking $r_1,s_1,r_2,r_3,y_2\leftarrow \mathbb{F}_p$ uniformly at random,
setting $y_1 = (x_1-r_1-s_1)+r_2+r_3$, and outputting
$[x_1,r_1,s_1,r_2,r_3,y_2,z-y_1-y_2,z]$.
From user 1's view, $y_2$ is random because user 1 never sees $s_3$.
We can construct simulators for the other users in a similar fashion.
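As an added illustration (not part of the notes), the following Python checks the simulation claim above by brute force over a toy field: it enumerates every coin toss of the real 3-party sum and every coin toss of the simulator, and verifies that user 1's view has exactly the same distribution in both. The notes give only user 1's transcript, so the share routing assumed here (user 1 receives $r_2, r_3$; user 2 receives $s_1, s_3$; user 3 receives $r_1, s_2$; each user broadcasts its kept share plus the two received shares) is an assumption chosen to match that transcript, under which user 1 indeed never sees $s_3$.

```python
"""Added example: 3-party sum over F_p and the 1-privacy simulator for
user 1, checked by exhaustive enumeration. The share routing below is an
assumption consistent with the transcript in the notes:
  user i picks r_i, s_i and keeps x_i - r_i - s_i;
  user 1 receives r_2, r_3; user 2 receives s_1, s_3; user 3 receives r_1, s_2;
  every user broadcasts y_i = (kept share) + (two received shares).
"""
from collections import Counter
from itertools import product

P = 5  # constructed toy field size, small enough to enumerate all coins


def real_transcript(x, r, s, p=P):
    """User 1's view [x1, r1, s1, r2, r3, y2, y3, z] for one choice of coins."""
    x1, x2, x3 = x
    r1, r2, r3 = r
    s1, s2, s3 = s
    y1 = (x1 - r1 - s1 + r2 + r3) % p
    y2 = (x2 - r2 - s2 + s1 + s3) % p
    y3 = (x3 - r3 - s3 + r1 + s2) % p
    z = (y1 + y2 + y3) % p          # equals x1 + x2 + x3 mod p
    return (x1, r1, s1, r2, r3, y2, y3, z)


def simulated_transcript(x1, z, r1, s1, r2, r3, y2, p=P):
    """Simulator from the notes: needs only x1 and z = x1 + x2 + x3."""
    y1 = (x1 - r1 - s1 + r2 + r3) % p
    return (x1, r1, s1, r2, r3, y2, (z - y1 - y2) % p, z)


def real_distribution(x, p=P):
    """Count every view of user 1 over all p^6 coin choices of the three users."""
    return Counter(real_transcript(x, r, s, p)
                   for r in product(range(p), repeat=3)
                   for s in product(range(p), repeat=3))


def simulated_distribution(x1, z, p=P):
    """Count every output over all p^5 coin choices of the simulator."""
    return Counter(simulated_transcript(x1, z, *c, p)
                   for c in product(range(p), repeat=5))


def distributions_match(x, p=P):
    """True iff the real view and the simulated view are identically distributed."""
    z = sum(x) % p
    real, sim = real_distribution(x, p), simulated_distribution(x[0], z, p)
    if set(real) != set(sim):
        return False
    # each simulated view occurs once; each real view exactly p times, since
    # s2 and s3 reach user 1 only through the difference s3 - s2 inside y2
    return all(real[t] == p * sim[t] for t in sim)
```

Running `distributions_match((2, 3, 4))` returns True, which is the statement that the simulator's output and user 1's real transcript are identically distributed for those inputs.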

This protocol generalizes to $n$ parties and to any linear combination
of the inputs, and becomes an $(n-2)$-private protocol. It is sometimes
referred to as Benaloh's protocol.

Modeling Cryptographic Protocols

Practically any cryptographic protocol can be described in terms of SFE.
For example:

Identification: $A$ has a secret key $x$, and a public key $f(x)$ for
some one-way function $f$, and wishes to prove possession of $x$ to $B$.